Re: [fw-wiz] Pix VPN endpoint and split-tunnel

From: Greg Spath (
Date: 10/17/05

  • Next message: Jay Archibald: "Re: [fw-wiz] Legal Release for Security Work"
    Date: Mon, 17 Oct 2005 16:31:37 -0400

    On Wed, 12 Oct 2005 10:45:10 -0400
    "Paul Melson" <> wrote:

    > -----Original Message-----
    > Subject: [fw-wiz] Pix VPN endpoint and split-tunnel
    > > I am trying to configure a cisco pix as a vpn endpoint for the cisco vpn
    > > client and would like to force the client to use the corporate network for
    > > internet access. I don't want to allow split-tunnel. I can't find any info
    > > on how to do this. Is split tunnel the only way to give a vpn client
    > > internet access once they are connected?
    > The short answer is yes. PIX-fu rule #1: the PIX is not a router.
    > It can't take traffic that arrives on one interface and pass it back
    > out that same interface, even when the traffic arrives via VPN
    > tunnel. That said, you can sort of solve this problem by having the
    > clients use a proxy server while connected via full tunnel. There
    > may or may not be an elegant way to automate this for your road
    > warriors, but this would really be independent of anything the PIX or
    > VPN client do. (Think login scripts, Group Policy, etc.)

    Not being a PIX admin, I didn't want to jump on this thread. I know
    that the Contivity VPN gateways/clients that we use can be configured to
    not allow split-tunneling, and assumed PIX could do the same.

    Anyway, on the subject of login scripts, group policy, etc., here is what
    I do for my alternate PPP over SSH solution on my Linux laptop. The info
    may or may not help, but I thought I'd share. Yes, it's pretty basic
    when you see it, but it took me a while to see this rather obvious
    solution :)

    On VPN Connect:
    1) create static route to remote gateway
    2) remove default route
    3) set new default route to internal server address (VPN endpoint,
    virtual address), and let that box do my routing.

    On Disconnect:
    1) restore default gateway to original
    2) remove static route to remote gateway

    This will route all traffic through your tunnel, but is not really a
    "split tunnel" because you can still hit your local subnet, and other
    hosts on that subnet can still reach you. That can be dealt with using
    firewall rules of some sort; not sure how easy that would be on a
    Windows PC.

    > If it's a big enough issue that you're willing to spend time and
    > resources on it, I would recommend looking at the VPN3K concentrators
    > (or ASA 5500?). They can do exactly what you're asking for, plus they
    > possess a number of other features for managing VPN client users that
    > the PIX doesn't have. (Like dynamic VPN profile assignment via
    > RADIUS.)

    Agreed there. That is why we use Nortel contivities for our clients.
    The contivity is very good at providing client VPN with 2 factor auth.

    Good luck,

    -- Greg

    Greg Spath <>
    Infrastructure Security Analyst
    Armstrong World Industries, Inc.
    firewall-wizards mailing list

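The connect/disconnect route switching Greg describes, as an added example that is not part of the original post: a POSIX shell script for Linux using iproute2, shaped as a pppd ip-up/ip-down hook. All addresses, interface names, the state file path and the use of pppd's ipparam option to carry the remote gateway address are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: full-tunnel route switching for
# a PPP-over-SSH link on Linux using iproute2, in the shape of a pppd
# ip-up/ip-down hook. Addresses, interface names and paths are assumptions.
# As the post notes, the directly connected LAN route survives, so the local
# subnet stays reachable; blocking that needs host firewall rules, not routes.

# Print the commands for "On VPN Connect".
# $1 remote gateway public address  $2 original default gateway
# $3 LAN interface  $4 peer (virtual) address on the PPP link  $5 PPP interface
vpn_up_plan() {
    printf 'ip route add %s/32 via %s dev %s\n' "$1" "$2" "$3"   # 1) static route
    printf 'ip route del default via %s\n' "$2"                   # 2) drop old default
    printf 'ip route add default via %s dev %s\n' "$4" "$5"      # 3) default -> tunnel
}

# Print the commands for "On Disconnect" (same arguments, reverse order).
vpn_down_plan() {
    printf 'ip route del default via %s dev %s\n' "$4" "$5"
    printf 'ip route add default via %s dev %s\n' "$2" "$3"      # 1) restore default
    printf 'ip route del %s/32 via %s dev %s\n' "$1" "$2" "$3"   # 2) remove static
}

# Current default gateway and interface from the kernel table, e.g. "192.168.1.1 eth0".
current_default() {
    ip -4 route show default |
        awk '{for(i=1;i<=NF;i++){if($i=="via")g=$(i+1);if($i=="dev")d=$(i+1)}print g,d;exit}'
}

# Execute each planned line; DRY_RUN=1 prints instead of running (root needed otherwise).
apply_plan() {
    while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then echo "$cmd"; else $cmd || return 1; fi
    done
}

# pppd invokes ip-up/ip-down as: script IFACE TTY SPEED LOCAL-IP REMOTE-IP IPPARAM.
# Assumption: the remote gateway's public address is passed via pppd's ipparam option.
STATE=${VPN_STATE:-/var/run/vpn-orig-route}
case "${0##*/}" in
    ip-up)   current_default > "$STATE"          # remember the LAN default first
             read -r ogw odev < "$STATE"
             vpn_up_plan "$6" "$ogw" "$odev" "$5" "$1" | apply_plan ;;
    ip-down) read -r ogw odev < "$STATE"
             vpn_down_plan "$6" "$ogw" "$odev" "$5" "$1" | apply_plan ;;
esac
```

Install it as /etc/ppp/ip-up and /etc/ppp/ip-down (or symlinks to one file) and start pppd with `ipparam <remote-gateway-address>`; set DRY_RUN=1 to review the route changes before letting the hook apply them.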